Setting up web-facing xnat with nginx and https

Setting up web-facing xnat with nginx and https

XNAT is likely the best current database option for neuroimaging data, but the official documentation on it is lacking and potentially insecure. This guide will configure a XNAT server, which uses tomcat internally, to run via a web-facing nginx proxy server. This will be configured to run using https with certbot, which auto-manages let’s encrypt certificates. This guide was written with Ubuntu (14.04) in mind.

XNAT Config

We built our XNAT instance on top of the XNAT Vagrant project. This project installs and configures nginx, tomcat, postgresql, and java 7. We aren’t actually using Vagrant for anything, we just took advantage of the provision script provided by this project.

# install mercurial, and postfix (mail) for later...
sudo apt-get install mercurial postfix -y
hg clone xnat
cd xnat/

The script needs to be filled in with the network domain and host name. Then, the install process was:

sed -i '2 i set -e\nset -x'
sed -i "s#/vagrant#$PWD#g" # correct paths
sed -i "s/apt-get install/apt-get install -y/g" # make all apt-get calls install unattended
sed -i "s/*/" # set the mailserver to localhost
sudo bash # install

This will unpack xnat in /data/xnat/src/${version_number}. All of xnat’s processes will be run as the user xnat. You can edit many XNAT install settings in /data/xnat/src/${version_number}/ Info here.

Afterward, deploy XNAT:

sudo su xnat -c "source ~/.bashrc && bin/ -Ddeploy=true"
sudo service tomcat7 start

XNAT should be configured, and accessible through tomcat on your local machine. NB: XNAT uses port 8080 by default.

certbot config

Certbot is a script that generates a let’s encrypt certificate for your server, and also makes it trivial to auto-renew. Let’s say we want to install this in the home folder of a localadmin user:

cd /home/localadmin
chmod a+x certbot-auto
/home/localadmin/certbot-auto certonly

Select the ‘standalone’ option. This will generate a public and private certificate on your machine in /etc/letsencrypt:


The last thing we need to do is write a script that renews these certificates. We haven’t configured nginx yet, but renewing with certbot requires the server be taken offline briefly. Therefore the script will look something like:


# shut down nginx, renew certs, start nginx
nginx -s stop
/home/localadmin/certbot/certbot-auto renew

# keeps track of whether updates are running correctly
echo "last run on ${timestamp}" > /home/localadmin/certbot/last-run.log

nginx config

The next step is to configure xginx to proxy requests on port 443 (https) to tomcat at port 8080.

This is done via the configuration file found here: /etc/nginx/sites-available/srv-web.

Briefly, a nginx proxy configuration requires a server block, which configures connections, and a location block, which points to the specific tomcat instance we want the web to connect to.

The following configuration sets up a ssl listener on port 443 (https) with the certificates we just generated. This is then associated with the tomcat server we have running on port 8080.

We also set up a second server (listener) on port 80 (http) which simply redirects the user to port 443. This ensures all connection attempts are using https.

server {
    listen 443 ssl;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    location / {
        root /var/lib/tomcat7/webapps/xnat;
        proxy_pass                ;
        proxy_redirect                      off;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_connect_timeout               150;
        proxy_send_timeout                  100;
        proxy_read_timeout                  100;
        proxy_buffers                       4 32k;
        client_max_body_size                0;
        client_body_buffer_size             128k;

    access_log /var/log/nginx/srv-web.access.log;
    error_log /var/log/nginx/srv-web.error.log;

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$server_name$request_uri;

Run nginx -s reload to load these settings.

The majority of the location blocks of this configuration file was taken directly from XNAT’s guide on setting up a regular HTTP server.

tomcat config

The final step is to configure a ‘connector’ in tomcat that the urls it is formatting should be https. Internally, tomcat will not communicate using encryption, but needs to know that the nginx proxy is. Basically, it needs to be told explicitly that it’s being proxied through a SSL port (443). Below is the relevant snippit of /var/lib/tomcat7/conf/server.xml (otherwise known as ${CATALINA_HOME}/conf/server.xml). See here for more.

<Server port="8005" shutdown="SHUTDOWN">

  # removed for clairty

  <Service name="Catalina">

    <Connector port="8080"

  # removed for clairty


The key lines are the proxyName and proxyPort entries.

Finally, restart tomcat: sudo service tomcat7 restart.


This is what we just did:

  • install XNAT using XNAT Vagrant, which gets XNAT and tomcat going locally on port 8080.
  • set up certbot to generate and maintain our SSL certificates for HTTPS.
  • set up nginx to listen for secure HTTPS requests on port 443, using our certificates. These requests are routed to the insecure tomcat server at port 8080.
  • set up tomcat to listen for secure SSL data on port 8080 that originates from port 443.

Now XNAT is somewhat more secure, sitting behind nginx and SSL.